*  Fix: Do not honor cookies set on a public domain. Previously a malicious site could inject
    cookies on top-level domains like `co.uk` because our cookie parser didn't honor the [public
    suffix][public_suffix] list. Alongside this fix is a new API, `HttpUrl.topPrivateDomain()`,
    which returns the privately domain name if the URL has one.
 *  Fix: Change `MediaType.charset()` to return null for unexpected charsets.